Investigation of threats using queryable records of behavior
Abstract
A method for threat detection may include obtaining data that is related to a series of digital activities performed with accounts on a channel through which employees of an enterprise can communicate with other employees of the enterprise or accounts external to the enterprise. The method may include parsing the data to identify an attribute of each digital activity. The method may include generating one or more metrics indicative of a threat posed by a respective digital activity of the series of digital activities. The method may include generating a plurality of digital profiles for at least some of the employees of the enterprise based on the series of digital activities and comprising the one or more metrics. The method may include generating a graphical user interface indicating a risk category associated with at least some of the digital activities of the series of digital activities.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for threat detection, comprising:
obtaining data that is related to a series of digital activities performed with accounts on a channel through which employees of an enterprise can communicate with other employees of the enterprise or accounts external to the enterprise; parsing the data to identify an attribute of each digital activity; generating, based on the attribute of each digital activity, one or more metrics indicative of a threat posed by a respective digital activity of the series of digital activities; generating a plurality of digital profiles for at least some of the employees of the enterprise based on the series of digital activities and comprising the one or more metrics, each respective digital profile comprising a historical summary of conduct on the channel associated with each respective employee of the at least some of the employees; and generating, for display on a user device, a graphical user interface associated with the plurality of digital profiles, the graphical user interface indicating a risk category associated with at least some of the digital activities of the series of digital activities.
2 . The method of claim 1 , wherein the one or more metrics comprises an index corresponding to a level of risk associated with the threat posed by respective digital activities.
3 . The method of claim 2 , wherein generating a first digital profile of the plurality of digital profiles comprises:
determining a plurality of digital activities of the series of digital activities associated with a first employee; and sorting the plurality of digital activities into a plurality of databases based on respective indexes of the plurality of digital activities.
4 . The method of claim 1 , wherein the attribute comprises at least one of (i) a reception date, (ii) a transmission date, (iii) a subject, (iv) an identifier of an account, or (v) content of a communication.
5 . The method of claim 1 , comprising:
in response to a first interaction with the graphical user interface indicating a first criterion, filtering the plurality of digital profiles such that the graphical user interface displays information corresponding to the first criterion.
6 . The method of claim 5 , comprising:
in response to a second interaction with the graphical user interface indicating a second criterion, filtering the information corresponding to the first criterion such that the graphical user interface displays information corresponding to both the first criterion and the second criterion.
7 . The method of claim 5 , wherein the first criterion comprises a sender name, a sender email address, a recipient name, a recipient email address, a subject, a threat type, a threat level, or a remediation status.
8 . The method of claim 1 , comprising:
obtaining a plurality of signals corresponding to a plurality of digital activities of the series of digital activities associated with a respective digital profile of the plurality of digital profiles; and generating, for each digital profile of the plurality of digital profiles, a metric corresponding a level of risk associated with the respective digital profile based on the plurality of signals.
9 . The method of claim 8 , wherein the plurality of signals indicate whether a digital activity of the plurality of digital activities is representative of account details being exposed, and wherein the level of risk indicates a probability of account compromise associated with the respective digital profile.
10 . The method of claim 8 , further comprising:
determining, based on the metric, a remediation action to address the threat posed by the plurality of digital activities.
11 . A system, comprising:
one or more memory devices configured to store instructions thereon that, when executed by one or more processors, cause the one or more processors to:
obtain data that is related to a series of email communications performed with accounts on a channel through which users associated with an enterprise can communicate with other users associated with the enterprise or accounts external to the enterprise;
parse the data to identify an attribute of each email communication;
generate, based on the attribute of each email communication, one or more metrics indicative of a threat posed by a respective email communication of the series of email communications;
generate a plurality of digital profiles for at least a portion of the users associated with the enterprise based on the series of email communications and comprising the one or more metrics, each respective digital profile comprising a historical summary of conduct on the channel associated with each respective user of the at least the portion of the users associated with the enterprise; and
generate, for display on a user device, a graphical user interface associated with the plurality of digital profiles, the graphical user interface indicating a risk category associated with at least some of the email communications of the series of email communications.
12 . The system of claim 11 , wherein the one or more metrics comprises an index corresponding to a level of risk associated with the threat posed by respective email communications.
13 . The system of claim 12 , wherein the instructions, when executed, cause the one or more processors to generate a first digital profile of the plurality of digital profiles by:
determining a plurality of email communications of the series of email communications associated with a first user; and sorting the plurality of email communications into a plurality of databases based on respective indexes of the plurality of email communications.
14 . The system of claim 11 , wherein the risk category is associated with phishing, authentication, or security.
15 . The system of claim 11 , wherein in response to a first interaction with the graphical user interface indicating a first criterion, the instructions, when executed, cause the one or more processors to:
apply a filter to the plurality of digital profiles such that the graphical user interface displays information corresponding to the first criterion.
16 . The system of claim 15 , wherein in response to a second interaction with the graphical user interface indicating a second criterion, the instructions, when executed, cause the one or more processors to:
apply a second filter to the information corresponding to the first criterion such that the graphical user interface displays information corresponding to both the first criterion and the second criterion.
17 . The system of claim 15 , wherein the first criterion comprises a sender name, a sender email address, a recipient name, a recipient email address, a subject, a threat type, a threat level, or a remediation status.
18 . The system of claim 11 , wherein the instructions cause the one or more processors to:
obtain a plurality of signals corresponding to a plurality of email communications of the series of email communications associated with a respective digital profile of the plurality of digital profiles; and generate, for each digital profile of the plurality of digital profiles, a metric corresponding a level of risk associated with the respective digital profile based on the plurality of signals.
19 . The system of claim 18 , wherein the plurality of signals indicate whether an email communication of the plurality of email communications is representative of account compromise, and wherein the level of risk indicates a probability of account compromise associated with the respective digital profile.
20 . One or more non-transitory computer readable media storing instructions thereon that, when executed by one or more processors, causes the one or more processors to perform operations comprising:
obtaining data that is related to a series of digital activities performed with accounts on a channel through which employees of an enterprise can communicate with other employees of the enterprise or accounts external to the enterprise; parsing the data to identify an attribute of each digital activity; generating, based on the attribute of each digital activity, one or more metrics indicative of a threat posed by a respective digital activity of the series of digital activities; generating a plurality of digital profiles for at least some of the employees of the enterprise based on the series of digital activities and comprising one or more metrics, each respective digital profile comprising a historical summary of conduct on the channel associated with each respective employee of the at least some of the employees; and generating, for display on a user device, a graphical user interface associated with the plurality of digital profiles, the graphical user interface indicating a risk category associated with at least some of the digital activities of the series of digital activities.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.